The old API is deprecated and will eventually be removed.
Arm platforms now use the multi console driver for boot and runtime
consoles. However, the crash console uses the direct console API because
it doesn't need any memory access to work. This makes it more robust
during crashes.
The AArch32 port of the Trusted Firmware doesn't support this new API
yet, so it is only enabled in AArch64 builds. Because of this, the
common code must maintain compatibility with both systems. SP_MIN
doesn't have to be updated because it's only used in AArch32 builds.
The TSP is only used in AArch64, so it only needs to support the new
API without keeping support for the old one.
Special care must be taken because of PSCI_SYSTEM_SUSPEND. In Juno, this
causes the UARTs to reset (except for the one used by the TSP). This
means that they must be unregistered when suspending and re-registered
when resuming. This wasn't a problem with the old driver because it just
restarted the UART, and there were no problems associated with
registering and unregistering consoles.
The size reserved for BL2 has been increased.
Change-Id: Icefd117dd1eb9c498921181a21318c2d2435c441
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
On TI platforms the UART is disabled by default and must be explicitly
enabled using the MDR1 register.
NOTE: The original definition of
http://www.ti.com/lit/ds/symlink/pc16550d.pdf has no MDR register, but
many TI SoCs implementing 16550 do have a quirky MDR register
implemented. So, this should be enabled with TI_16550_MDR_QUIRK
NOTE: In such implementation, the CSR register does not exist.
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
In 'console_set_scope' and when registering a console, field 'flags' of
'console_t' is assigned a 32-bit value. However, when it is actually
used, the functions perform 64-bit reads to access its value. This patch
changes all 64-bit reads to 32-bit reads.
Change-Id: I181349371409e60065335f078857946fa3c32dc1
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
This reverts commit 2f18aa1fa3.
It is causing some tests to fail. Until the cause is found and fixed, it
is needed to remove this commit from master.
Change-Id: Ic5ff7a841903a15613e00379e87cbbd8a0e85152
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The old API is deprecated and will eventually be removed.
Arm platforms now use the multi console driver for boot and runtime
consoles. However, the crash console uses the direct console API because
it doesn't need any memory access to work. This makes it more robust
during crashes.
The AArch32 port of the Trusted Firmware doesn't support this new API
yet, so it is only enabled in AArch64 builds. Because of this, the
common code must maintain compatibility with both systems. SP_MIN
doesn't have to be updated because it's only used in AArch32 builds.
The TSP is only used in AArch64, so it only needs to support the new
API without keeping support for the old one.
Special care must be taken because of PSCI_SYSTEM_SUSPEND. In Juno, this
causes the UARTs to reset (except for the one used by the TSP). This
means that they must be unregistered when suspending and re-registered
when resuming. This wasn't a problem with the old driver because it just
restarted the UART, and there were no problems associated with
registering and unregistering consoles.
The size of BL31 has been increased in builds with SPM.
Change-Id: Icefd117dd1eb9c498921181a21318c2d2435c441
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
In the multi console driver, allowing to register the same console more
than once may result in an infinte loop when putc is called.
If, for example, a boot message is trying to be printed, but the
consoles in the loop in the linked list are runtime consoles, putc will
iterate forever looking for a console that can print boot messages (or
a NULL pointer that will never come).
This loop in the linked list can occur after restoring the system from a
system suspend. The boot console is registered during the cold boot in
BL31, but the runtime console is registered even in the warm boot path.
Consoles are always added to the start of the linked list when they are
registered, so this it what should happen if they were actually
different structures:
console_list -> NULL
console_list -> BOOT -> NULL
console_list -> RUNTIME -> BOOT -> NULL
console_list -> RUNTIME -> RUNTIME -> BOOT -> NULL
In practice, the two runtime consoles are the same one, so they create
this loop:
console_list -> RUNTIME -. X -> BOOT -> NULL
^ |
`----'
This patch adds an assertion to detect this problem. The assertion will
fail whenever the same structure tries to be registered while being on
the list.
In order to assert this, console_is_registered() has been implemented.
It returns 1 if the specified console is registered, 0 if not.
Change-Id: I922485e743775ca9bd1af9cbd491ddd360526a6d
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined
Fixed for:
make DEBUG=1 PLAT=fvp SPD=tspd TRUSTED_BOARD_BOOT=1 \
GENERATE_COT=1 ARM_ROTPK_LOCATION=devel_rsa \
ROT_KEY=arm_rotprivk_rsa.pem MBEDTLS_DIR=mbedtls all
Change-Id: Ie4cd6011b3e4fdcdd94ccb97a7e941f3b5b7aeb8
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.3: All declarations of an object or function shall
use the same names and type qualifiers
Fixed for:
make DEBUG=1 PLAT=fvp SPD=tspd TRUSTED_BOARD_BOOT=1 \
GENERATE_COT=1 ARM_ROTPK_LOCATION=devel_rsa \
ROT_KEY=arm_rotprivk_rsa.pem MBEDTLS_DIR=mbedtls all
Change-Id: Ia34fe1ae1f142e89c9a6c19831e3daf4d28f5831
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Some low end platforms using DMC500 memory controller do not have
CCI(Cache Coherent Interconnect) interface and only have non-coherent
system interface support. Hence this patch makes the system interface
count configurable from the platforms.
Change-Id: I6d54c90eb72fd18026c6470c1f7fd26c59dc4b9a
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
Use the console_pl011_core_* functions directly in the crash console
callbacks.
This bypasses the MULTI_CONSOLE_API for the crash console (UART1), but
allows using the crash console before the C runtime has been initialized
(eg to call ASM_ASSERT). This retains backwards compatibility with respect
to functionality when the old API is used.
Use the MULTI_CONSOLE_API to register UART0 as the boot and runtime
console.
FixesARM-software/tf-issues#572
Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
- Interrupt configuration is a 2-bit field, so the field shift has to
be double that of the bit number.
- Interrupt configuration (level- or edge-trigger) is specified in the
MSB of the field, not LSB.
Fixes applied to both GICv2 and GICv3 drivers.
FixesARM-software/tf-issues#570
Change-Id: Ia6ae6ed9ba9fb0e3eb0f921a833af48e365ba359
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Add crash_console_init declaration to console.h
Only enable MULTI_CONSOLE_API for AArch64
FixesARM-software/tf-issues#571
Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
Emit runtime warnings when intializing the GIC drivers using the
deprecated method of defining integer interrupt arrays in the GIC driver
data structures; interrupt_prop_t arrays should be used instead. This
helps platforms detect that they have migration work to do. Previously,
no warning was emitted in this case. This affects both the GICv2 and GICv3
drivers.
Also use the __deprecated attribute to emit a build time warning if these
deprecated fields are used. These warnings are suppressed in the GIC
driver compatibility functions but will be visible if platforms use them.
Change-Id: I6b6b8f6c3b4920c448b6dcb82fc18442cfdf6c7a
Signed-off-by: Dan Handley <dan.handley@arm.com>
For platforms that have not migrated to MULTI_CONSOLE_API == 1, there
are a lot of confusing deprecated declaration warnings relating to
use of console_init() and console_uninit(). Some of these relate to use
by the generic code, not the platform code. These functions are not really
deprecated but *removed* when MULTI_CONSOLE_API == 1.
This patch consolidates these warnings into a single preprocessor warning.
The __deprecated attribute is removed from the console_init() and
console_uninit() declarations.
For preprocessor warnings like this to not cause fatal build errors,
this patch adds -Wno-error=cpp to the build flags when
ERROR_DEPRECATED == 0.
This option (and -Wno-error=deprecated-declarations) is now added to
CPPFLAGS instead of TF_CFLAGS to ensure the build flags are used in the
assembler as well as the compiler.
This patch also disentangles the MULTI_CONSOLE_API and ERROR_DEPRECATED
build flags by defaulting MULTI_CONSOLE_API to 0 instead of
ERROR_DEPRECATED. This allows platforms that have not migrated to
MULTI_CONSOLE_API to use ERROR_DEPRECATED == 1 to emit a more meaningful
build error.
Finally, this patch bans use of MULTI_CONSOLE_API == 1 and AARCH32, since
the AArch32 console implementation does not support
MULTI_CONSOLE_API == 1.
Change-Id: If762165ddcb90c28aa7a4951aba70cb15c2b709c
Signed-off-by: Dan Handley <dan.handley@arm.com>
Rule 8.3: All declarations of an object or function shall
use the same names and type qualifiers.
Fixed for:
make DEBUG=1 PLAT=fvp LOG_LEVEL=50 all
Change-Id: I48201c9ef022f6bd42ea8644529afce70f9b3f22
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.3: All declarations of an object or function shall
use the same names and type qualifiers.
Change-Id: Iff384187c74a598a4e73f350a1893b60e9d16cec
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Hynix ufs has deviations on hi36xx platform which will result
in ufs bursts transfer failures at a very low probability.
To fix the problem, the Hynix device must set the register
VS_DebugSaveConfigTime to 0x10, which will set time reference
for SaveConfigTime is 250 ns. The time reference for SaveConfigTime
is 40 ns by default.
Signed-off-by: fengbaopeng <fengbaopeng@hisilicon.com>
coreboot supports an in-memory console to store firmware logs even when
no serial console is available. It is widely supported by
coreboot-compatible bootloaders (including SeaBIOS and GRUB) and can be
read by the Linux kernel.
This patch allows BL31 to add its own log messages to this console. The
driver will be registered automatically if coreboot support is compiled
in and detects the presence of a console buffer in the coreboot tables.
Change-Id: I31254dfa0c2fdeb7454634134b5707b4b4154907
Signed-off-by: Julius Werner <jwerner@chromium.org>
This patch updates the Cadence CDNS console driver to support the new
console API. The driver will continue to support the old API as well by
checking the MULTI_CONSOLE_API compile-time flag.
Change-Id: I2ef8fb0d6ab72696997db1e0243a533499569d6b
Signed-off-by: Julius Werner <jwerner@chromium.org>
This patch updates the ARM PL011 console driver to support the new
console API. The driver will continue to support the old API as well by
checking the MULTI_CONSOLE_API compile-time flag.
Change-Id: Ic34e4158addbb0c5fae500c9cff899c05a4f4206
Signed-off-by: Julius Werner <jwerner@chromium.org>
This patch updates the TI 16550 console driver to support the new
console API. The driver will continue to support the old API as well by
checking the MULTI_CONSOLE_API compile-time flag.
Change-Id: I60a44b7ba3c35c74561824c04b8dbe3e3039324c
Signed-off-by: Julius Werner <jwerner@chromium.org>
Add some macros according to JEDEC Standard Embedded Multi-Media
Card (eMMC) Electrical Standard (5.1)": Table 145 - Bus Mode
Selection.
Change-Id: Iaa45e0582653ef4290efd60d039f0bdc420eeb47
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
This patch overhauls the console API to allow for multiple console
instances of different drivers that are active at the same time. Instead
of binding to well-known function names (like console_core_init),
consoles now provide a register function (e.g. console_16550_register())
that will hook them into the list of active consoles. All console
operations will be dispatched to all consoles currently in the list.
The new API will be selected by the build-time option MULTI_CONSOLE_API,
which defaults to ${ERROR_DEPRECATED} for now. The old console API code
will be retained to stay backwards-compatible to older platforms, but
should no longer be used for any newly added platforms and can hopefully
be removed at some point in the future.
The new console API is intended to be used for both normal (bootup) and
crash use cases, freeing platforms of the need to set up the crash
console separately. Consoles can be individually configured to be active
active at boot (until first handoff to EL2), at runtime (after first
handoff to EL2), and/or after a crash. Console drivers should set a sane
default upon registration that can be overridden with the
console_set_scope() call. Code to hook up the crash reporting mechanism
to this framework will be added with a later patch.
This patch only affects AArch64, but the new API could easily be ported
to AArch32 as well if desired.
Change-Id: I35c5aa2cb3f719cfddd15565eb13c7cde4162549
Signed-off-by: Julius Werner <jwerner@chromium.org>
The flag support the following values:
- sha256 (default)
- sha384
- sha512
Change-Id: I7a49d858c361e993949cf6ada0a86575c3291066
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
On GICv3 systems, as a side effect of adding provision to handle EL3
interrupts (unconditionally routing FIQs to EL3), pending Non-secure
interrupts (signalled as FIQs) may preempt execution in lower Secure ELs
[1]. This will inadvertently disrupt the semantics of Fast SMC
(previously called Atomic SMC) calls.
To retain semantics of Fast SMCs, the GIC PMR must be programmed to
prevent Non-secure interrupts from preempting Secure execution. To that
effect, two new functions in the Exception Handling Framework subscribe
to events introduced in an earlier commit:
- Upon 'cm_exited_normal_world', the Non-secure PMR is stashed, and
the PMR is programmed to the highest Non-secure interrupt priority.
- Upon 'cm_entering_normal_world', the previously stashed Non-secure
PMR is restored.
The above sequence however prevents Yielding SMCs from being preempted
by Non-secure interrupts as intended. To facilitate this, the public API
exc_allow_ns_preemption() is introduced that programs the PMR to the
original Non-secure PMR value. Another API
exc_is_ns_preemption_allowed() is also introduced to check if
exc_allow_ns_preemption() had been called previously.
API documentation to follow.
[1] On GICv2 systems, this isn't a problem as, unlike GICv3, pending NS
IRQs during Secure execution are signalled as IRQs, which aren't
routed to EL3.
Change-Id: Ief96b162b0067179b1012332cd991ee1b3051dd0
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Acknowledging interrupt shall return a raw value from the interrupt
controller in which the actual interrupt ID may be encoded. Add a
platform API to extract the actual interrupt ID from the raw value
obtained from interrupt controller.
Document the new function. Also clarify the semantics of interrupt
acknowledge.
Change-Id: I818dad7be47661658b16f9807877d259eb127405
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Some SoCs integrate a GIC in version 1 that is currently not supported
by the trusted firmware. This change hijacks GICv2 driver to handle the
GICv1 as GICv1 is compatible enough with GICv2 as far as the platform
does not attempt to play with virtualization support or some GICv2
specific power features.
Note that current trusted firmware does not use these GICv2 features
that are not available in GICv1 Security Extension.
Change-Id: Ic2cb3055f1319a83455571d6d918661da583f179
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
For Trusted Board Boot, BL2 needs more space to support the ECDSA
and ECDSA+RSA algorithms.
Change-Id: Ie7eda9a1315ce836dbc6d18d6588f8d17891a92d
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
An earlier patch added provision for the platform to provide secure
interrupt properties. ARM platforms already has a list of interrupts
that fall into different secure groups.
This patch defines macros that enumerate interrupt properties in the
same fashion, and points the driver driver data to a list of interrupt
properties rather than list of secure interrupts on ARM platforms. The
deprecated interrupt list definitions are however retained to support
legacy builds.
Configuration applied to individual interrupts remain unchanged, so no
runtime behaviour change expected.
NOTE: Platforms that use the arm/common function
plat_arm_gic_driver_init() must replace their PLAT_ARM_G1S_IRQS and
PLAT_ARM_G0_IRQS macro definitions with PLAT_ARM_G1S_IRQ_PROPS and
PLAT_ARM_G0_IRQ_PROPS macros respectively, using the provided
INTR_PROP_DESC macro.
Change-Id: I24d643b83e3333753a3ba97d4b6fb71e16bb0952
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The GIC driver initialization currently allows an array of interrupts to
be configured as secure. Future use cases would require more interrupt
configuration other than just security, such as priority.
This patch introduces a new interrupt property array as part of both
GICv2 and GICv3 driver data. The platform can populate the array with
interrupt numbers and respective properties. The corresponding driver
initialization iterates through the array, and applies interrupt
configuration as required.
This capability, and the current way of supplying array (or arrays, in
case of GICv3) of secure interrupts, are however mutually exclusive.
Henceforth, the platform should supply either:
- A list of interrupts to be mapped as secure (the current way).
Platforms that do this will continue working as they were. With this
patch, this scheme is deprecated.
- A list of interrupt properties (properties include interrupt group).
Individual interrupt properties are specified via. descriptors of
type 'interrupt_prop_desc_t', which can be populated with the macro
INTR_PROP_DESC().
A run time assert checks that the platform doesn't specify both.
Henceforth the old scheme of providing list of secure interrupts is
deprecated. When built with ERROR_DEPRECATED=1, GIC drivers will require
that the interrupt properties are supplied instead of an array of secure
interrupts.
Add a section to firmware design about configuring secure interrupts.
FixesARM-software/tf-issues#262
Change-Id: I8eec29e72eb69dbb6bce77879febf32c95376942
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The helpers perform read-modify-write on GIC*_ICFGR registers, but don't
serialise callers. Any serialisation must be taken care of by the
callers.
Change-Id: I71995f82ff2c7f70d37af0ede30d6ee18682fd3f
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
SPIs can be routed to either a specific PE, or to any one of all
available PEs.
API documentation updated.
Change-Id: I28675f634568aaf4ea1aa8aa7ebf25b419a963ed
Co-authored-by: Yousuf A <yousuf.sait@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The back end GIC driver converts and assigns the interrupt type to
suitable group.
For GICv2, a build option GICV2_G0_FOR_EL3 is introduced, which
determines to which type Group 0 interrupts maps to.
- When the build option is set 0 (the default), Group 0 interrupts are
meant for Secure EL1. This is presently the case.
- Otherwise, Group 0 interrupts are meant for EL3. This means the SPD
will have to synchronously hand over the interrupt to Secure EL1.
The query API allows the platform to query whether the platform supports
interrupts of a given type.
API documentation updated.
Change-Id: I60fdb4053ffe0bd006b3b20914914ebd311fc858
Co-authored-by: Yousuf A <yousuf.sait@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
These APIs allow the GIC implementation to categorize interrupt numbers
into SPIs, PPIs, and SGIs. The default implementations for GICv2 and
GICv3 follows interrupt numbering as specified by the ARM GIC
architecture.
API documentation updated.
Change-Id: Ia6aa379dc955994333232e6138f259535d4fa087
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The PE target mask is used to translate linear PE index (returned by
platform core position) to a bit mask used when targeting interrupts to
a PE, viz. when raising SGIs and routing SPIs.
The platform shall:
- Populate the driver data with a pointer to array that's to contain
per-PE target masks.
- Invoke the new driver API 'gicv2_set_pe_target_mask()' during
per-CPU initialization so that the driver populates the target mask
for that CPU.
Platforms that don't intend to target interrupts or raise SGIs need not
populate this.
Change-Id: Ic0db54da86915e9dccd82fff51479bc3c1fdc968
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Document the API in separate platform interrupt controller API document.
Change-Id: If18f208e10a8a243f5c59d226fcf48e985941949
Co-authored-by: Yousuf A <yousuf.sait@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
This patch adds functions to save and restore GICv3 ITS registers during
system suspend. Please note that the power management of GIC ITS is
implementation defined. These functions only implements the
architectural part of the ITS power management and they do not restore
memory structures or register content required to support ITS. Even if
the ITS implementation stores structures in memory, an implementation
defined power down sequence is likely to be required to flush some
internal ITS caches to memory. If such implementation defined sequence
is not followed, the platform must ensure that the ITS is not power
gated during system suspend.
Change-Id: I5f31e5541975aa7dcaab69b0b7f67583c0e27678
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
During system suspend, the GICv3 Distributor and Redistributor context
can be lost due to power gating of the system power domain. This means
that the GICv3 context needs to be saved prior to system suspend and
restored on wakeup. Currently the consensus is that the Firmware should
be in charge of this. See tf-issues#464 for more details.
This patch introduces helper APIs in the GICv3 driver to save and
restore the Distributor and Redistributor contexts. The GICv3 ITS
context is not considered in this patch because the specification says
that the details of ITS power management is implementation-defined.
These APIs are expected to be appropriately invoked by the platform
layer during system suspend.
FixesARM-software/tf-issues#464
Change-Id: Iebb9c6770ab8c4d522546f161fa402d2fe02ec00
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
Add new option rsa+ecdsa for TF_MBEDTLS_KEY_ALG, which selects
rsa or ecdsa depending on the certificate used.
Change-Id: I08d9e99bdbba361ed2ec5624248dc382c750ad47
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
The type `unsigned long` is 32 bit wide in AArch32, but 64 bit wide in
AArch64. This is inconsistent and that's why we avoid using it as per
the Coding Guidelines. This patch changes all `UL` occurrences to `U`
or `ULL` depending on the context so that the size of the constant is
clear.
This problem affected the macro `BIT(nr)`. As long as this macro is used
to fill fields of registers, that's not a problem, since all registers
are 32 bit wide in AArch32 and 64 bit wide in AArch64. However, if the
macro is used to fill the fields of a 64-bit integer, it won't be able
to set the upper 32 bits in AArch32.
By changing the type of this macro to `unsigned long long` the behaviour
is always the same regardless of the architecture, as this type is
64-bit wide in both cases.
Some Tegra platform files have been modified by this patch.
Change-Id: I918264c03e7d691a931f0d1018df25a2796cc221
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The driver has only one API: to initialize an SMMUv3 device. This
operates on a device that implements secure state, by invalidating
secure caches and TLBs.
Change-Id: Ief32800419ddf0f1fe38c8f0da8f5ba75c72c826
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The current build system and driver requires the CCI product to be
specified at build time. The device constraints can be determined at run
time from its ID registers, obviating the need for specifying them
ahead.
This patch adds changes to identify and validate CCI at run time. Some
global variables are renamed to be in line with the rest of the code
base.
The build option ARM_CCI_PRODUCT_ID is now removed, and user guide is
updated.
Change-Id: Ibb765e349d3bc95ff3eb9a64bde1207ab710a93d
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
This fix modifies the order of system includes to meet the ARM TF coding
standard. There are some exceptions in order to retain header groupings,
minimise changes to imported headers, and where there are headers within
the #if and #ifndef statements.
Change-Id: I65085a142ba6a83792b26efb47df1329153f1624
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
This patch adds header files with required declarations and
macro definitions to enable integration with CryptoCell SBROM
version `CC712 – Release 1.0.0.1061`. These headers enable ARM
Trusted Firmware to build and link with CryptoCell SBROM
library.
Change-Id: I501eda7fe1429acb61db8e1cab78cc9aee9c1871
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch uses the U() and ULL() macros for constants, to fix some
of the signed-ness defects flagged by the MISRA scanner.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch adds support for RSASSA-PSS Signature Algorithm for
X509 certificates in mbedtls crypto driver. Now the driver supports
RSA PKCS2_1 standard as mandated by TBBR.
NOTE: With this patch, the PKCS1_5 standard compliant RSA signature
is deprecated.
Change-Id: I9cf6d073370b710cc36a7b374a55ec96c0496461
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
If UFS device is initialized, we could just make it out of
hibernation by UFS_FLAGS_SKIPINIT. And vendor's dirver is always
focus on PHY setting. We could use UFS driver directly if it
exits from hibernation.
There're eight LUNs in UFS device. The UFS driver only provides
the read/write API with LUN. User could define his own read/write
since user may want to access different LUNs.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
The Trusted Firmware uses a subset of the APIs provided by mbed TLS.
This subset internally uses `snprintf`, but the only format specifier
used is '%d', which is supported by `tf_snprintf`.
This patch makes mbed TLS use `tf_snprintf` instead of `snprintf`,
saving 3 KB in both debug and release builds when TBBR is enabled.
Change-Id: I7f992a21015930d7c0f4660e7a28ceefd60b9597
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
An earlier patch (arm-trusted-firmware#874) migrated MBEDTLS_ suffixed
macros to have a TBBR_ suffix to avoid any potential clash with future
mbedtls macros.
But on reflection the TBBR_ suffix could be confusing as the macros
are used to drive TF-specific configuration of mbedtls. As such
this patch migrates these macros from TBBR_suffix to TF_MBEDTLS_
suffix which more accurately conveys their use.
Change-Id: Ic87642b653ceeaa03d62f724976abd5e12e867d4
Signed-off-by: David Cunado <david.cunado@arm.com>
To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.
NOTE: Files that have been imported by FreeBSD have not been modified.
[0]: https://spdx.org/
Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
This function ensures that console output is flushed, for example
before shutting down or use by another component
In line with other console APIs, console_flush() wraps
console_core_flush().
Also implement console_core_flush() for PL011.
Change-Id: I3db365065e4de04a454a5c2ce21be335a23a01e4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
These macros are not part of mbed TLS so they should not be prefixed
with `MBEDTLS_` to avoid potential collision in the future. Use the
`TBBR_` suffix to highlight that they only used in TF.
`MBEDTLS_KEY_ALG` was not modified because that is documented and used
by platforms to select the key algorithm.
Change-Id: Ief224681715c481691c80810501830ce16e210b0
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
tbz check for RDR status is to check for a bit being zero.
Unfortunately, we are using a mask rather than the bit position.
Further as per http://www.ti.com/lit/ds/symlink/pc16550d.pdf (page 17),
LSR register bit 0 is Data ready status (RDR), not bit position 2.
Update the same to match the specification.
Reported-by: Sekhar Nori <nsekhar@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Some GICv3 implementations have provision for power management
operations at Redistributor level. This patch introduces and provides
place-holders for Redistributor power management. The default
implementations are empty stubs, but are weakly bound so as to enable
implementation-specific drivers to override them.
Change-Id: I4fec1358693d3603ca5dce242a2f7f0e730516d8
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Some files have incorrect copyright notices, this patch fixes all
files with deviations from the standard notice.
Change-Id: I66b73e78a50a235acb55f1e2ec2052a42c0570d2
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
C99 restricts bitfields type is signed and unsigned integer or _Bool.
See section 6.7.2.1 Structure and union specifiers.
"A bit-field shall have a type that is a qualified or unqualified version
of _Bool, signed int, unsigned int, or some other implementation-defined type."
Since the compiler packs bitfields anyways, actual data layout in the structure is unaffected.
Signed-off-by: Alex Nemirovsky <alex.nemirovsky@cortina-access.com>
Support CMD23. When CMD23 is used, CMD12 could be avoided.
Two scenarios:
1. CMD17 for single block, CMD18 + CMD12 for multiple blocks.
2. CMD23 + CMD18 for both single block and multiple blocks.
The emmc_init() should initialize whether CMD23 is supported
or not.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
This patch fixes the offset of GICD_IROUTER register defined in gicv3.h.
Although the GICv3 documention mentions that the offset for this register
is 0x6100-0x7FD8, the offset calculation for an interrupt id `n` is :
0x6000 + 8n, where n >= 32
This requires the offset for GICD_IROUTER to be defined as 0x6000.
FixesARM-software/tf-issues#410
Change-Id: If9e91e30d946afe7f1f60fea4f065c7567093fa8
This patch reworks type usage in generic code, drivers and ARM platform files
to make it more portable. The major changes done with respect to
type usage are as listed below:
* Use uintptr_t for storing address instead of uint64_t or unsigned long.
* Review usage of unsigned long as it can no longer be assumed to be 64 bit.
* Use u_register_t for register values whose width varies depending on
whether AArch64 or AArch32.
* Use generic C types where-ever possible.
In addition to the above changes, this patch also modifies format specifiers
in print invocations so that they are AArch64/AArch32 agnostic. Only files
related to upcoming feature development have been reworked.
Change-Id: I9f8c78347c5a52ba7027ff389791f1dad63ee5f8
On some platform gpio can set/get pull status when input, add these
function so we can set/get gpio pull status when need it. And they are
optional function.
This patch adds the API `ccn_get_part0_id` to query the PART0 ID from the
PERIPHERAL_ID 0 register in the CCN driver. This ID allows to distinguish
the variant of CCN present on the system and possibly enable dynamic
configuration of the IP based on the variant. Also added an assert in
`ccn_master_to_rn_id_map()` to ensure that the master map bitfield provided
by the platform is within the expected interface id.
Change-Id: I92d2db7bd93a9be8a7fbe72a522cbcba0aba2d0e
Add delay timer implementation based on the system generic counter.
This either uses the platform's implementation of
`plat_get_syscnt_freq()` or explicit clock multiplier/divider values
provided by the platform.
The current implementation of udelay has been modified to avoid
unnecessary calculations while waiting on the loop and to make it
easier to check for overflows.
Change-Id: I9062e1d506dc2f68367fd9289250b93444721732
Allow to handle cases where some images are pre-loaded (by debugger for
instance) without introducing many switches in files calling load_* functions.
Fixes: arm-software/tf-issues#398
Signed-off-by: Gerald Lejeune <gerald.lejeune@st.com>
In a lot of embedded platforms, eMMC device is the only one storage
device. So loading content from eMMC device is required in ATF.
Create the emmc stack that could co-work with IO block driver.
Support to read/write/erase eMMC blocks on both rpmb and normal
user area. Support to change the IO speed and bus width.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
FIP is accessed as memory-mapped type. eMMC is block device type.
In order to support FIP based on eMMC, add the new io_block layer.
io_block always access eMMC device as block size. And it'll only
copy the required data into buffer in io_block driver. So preparing
an temporary buffer is required.
When use io_block device, MAX_IO_BLOCK_DEVICES should be declared
in platform_def.h. It's used to support multiple block devices.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Currently the `tzc400_configure_region` and `tzc_dmc500_configure_region`
functions uses uintptr_t as the data type for `region_top` and `region_base`
variables, which will be converted to 32/64 bits for AArch32/AArch64
respectively. But the expectation is to keep these addresses at least 64 bit.
This patch modifies the data types to make it at least 64 bit by using
unsigned long long instead of uintptr_t for the `region_top` and
`region_base` variables. It also modifies the associated macros
`_tzc##fn_name##_write_region_xxx` accordingly.
Change-Id: I4e3c6a8a39ad04205cf0f3bda336c3970b15a28b
The ARM CoreLink DMC-500 Dynamic Memory Controller provides the
programmable address region control of a TrustZone Address Space
Controller. The access permissions can be defined for eight
separate address regions plus a background or default region.
This patch adds a DMC-500 driver to define address regions and
program their access permissions as per ARM 100131_0000_02_en
(r0p0) document.
Change-Id: I9d33120f9480d742bcf7937e4b876f9d40c727e6
TrustZone protection can be programmed by both memory and TrustZone
address space controllers like DMC-500 and TZC-400. These peripherals
share a similar programmer's view.
Furthermore, it is possible to have multiple instances of each type of
peripheral in a system resulting in multiple programmer's views.
For example, on the TZC-400 each of the 4 filter units can be enabled
or disabled for each region. There is a single set of registers to
program the region attributes. On the DMC-500, each filter unit has its
own programmer's view resulting in multiple sets of registers to program
the region attributes. The layout of the registers is almost the same
across all these variations.
Hence the existing driver in `tzc400\tzc400.c` is refactored into the
new driver in `tzc\tzc400.c`. The previous driver file is still maintained
for compatibility and it is now deprecated.
Change-Id: Ieabd0528e244582875bc7e65029a00517671216d
This patch adds support for non-volatile counter authentication to
the Authentication Module. This method consists of matching the
counter values provided in the certificates with the ones stored
in the platform. If the value from the certificate is lower than
the platform, the boot process is aborted. This mechanism protects
the system against rollback.
The TBBR CoT has been updated to include this method as part of the
authentication process. Two counters are used: one for the trusted
world images and another for the non trusted world images.
** NEW PLATFORM APIs (mandatory when TBB is enabled) **
int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr);
This API returns the non-volatile counter value stored
in the platform. The cookie in the first argument may be
used to select the counter in case the platform provides
more than one (i.e. TBSA compliant platforms must provide
trusted and non-trusted counters). This cookie is specified
in the CoT.
int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr);
This API sets a new counter value. The cookie may be
used to select the counter to be updated.
An implementation of these new APIs for ARM platforms is also
provided. The values are obtained from the Trusted Non-Volatile
Counters peripheral. The cookie is used to pass the extension OID.
This OID may be interpreted by the platform to know which counter
must return. On Juno, The trusted and non-trusted counter values
have been tied to 31 and 223, respectively, and cannot be modified.
** IMPORTANT **
THIS PATCH BREAKS THE BUILD WHEN TRUSTED_BOARD_BOOT IS ENABLED. THE
NEW PLATFORM APIs INTRODUCED IN THIS PATCH MUST BE IMPLEMENTED IN
ORDER TO SUCCESSFULLY BUILD TF.
Change-Id: Ic943b76b25f2a37f490eaaab6d87b4a8b3cbc89a
This patch moves the private GIC common accessors from `gic_common.h` to
a new private header file `gic_common_private.h`. This patch also adds
additional comments to GIC register accessors to highlight the fact
that some of them access register values that correspond to multiple
interrupt IDs. The convention used is that the `set`, `get` and `clr`
accessors access and modify the values corresponding to a single interrupt
ID whereas the `read` and `write` GIC register accessors access the raw
GIC registers and it could correspond to multiple interrupt IDs depending
on the register accessed.
Change-Id: I2643ecb2533f01e3d3219fcedfb5f80c120622f9
The code to set the interrupt priority for secure interrupts in the
new GICv2 and GICv3 drivers is incorrect. The setup code to configure
interrupt priorities of secure interrupts, one interrupt at a time, used
gicd_write_ipriorityr()/gicr_write_ipriority() function affecting
4 interrupts at a time. This bug did not manifest itself because all the
secure interrupts were configured to the highest secure priority(0) during
cold boot and the adjacent non secure interrupt priority would be configured
later by the normal world. This patch introduces new accessors,
gicd_set_ipriorityr() and gicr_set_ipriorityr(), for configuring priority
one interrupt at a time and fixes the the setup code to use the new
accessors.
FixesARM-software/tf-issues#344
Change-Id: I470fd74d2b7fce7058b55d83f604be05a27e1341
The PL011 TRM (ARM DDI 0183G) specifies that the UART must be
disabled before any of the control registers are programmed. The
PL011 driver included in TF does not disable the UART, so the
initialization in BL2 and BL31 is violating this requirement
(and potentially in BL1 if the UART is enabled after reset).
This patch modifies the initialization function in the PL011
console driver to disable the UART before programming the
control registers.
Register clobber list and documentation updated.
FixesARM-software/tf-issues#300
Change-Id: I839b2d681d48b03f821ac53663a6a78e8b30a1a1
Migrate all direct usage of __attribute__ to usage of their
corresponding macros from cdefs.h.
e.g.:
- __attribute__((unused)) -> __unused
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
Use the new __deprecated macro from the generic cdefs header and remove
the deprecated __warn_deprecated.
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
This patch rearranges fields of the `image_desc_t` & `auth_img_desc_t`
data structures to reduce padding between the fields and thereby
save memory.
NOTE: Platform ports which anonymously initialize these structures
should be aware of the rearrangement and do the required
modification.
Change-Id: I428b5429632797b31d5bd306174599c07e24c060
By default ARM TF is built with the '-pedantic' compiler flag, which
helps detecting violations of the C standard. However, the mbed TLS
library and its associated authentication module in TF used to fail
building with this compiler flag. As a workaround, the mbed TLS
authentication module makefile used to set the 'DISABLE_PEDANTIC'
TF build flag.
The compiler errors flagged by '-pedantic' in the mbed TLS library
have been fixed between versions 1.3.9 and 2.2.0 and the library now
properly builds with this compiler flag.
This patch fixes the remaining compiler errors in the mbed TLS
authentication module in TF and unsets the 'DISABLE_PEDANTIC' TF
build flag. This means that TF is now always built with '-pedantic'.
In particular, this patch:
* Removes the final semi-colon in REGISTER_COT() macro.
This semi-colon was causing the following error message:
drivers/auth/tbbr/tbbr_cot.c:544:23: error: ISO C does not allow
extra ';' outside of a function [-Werror=pedantic]
This has been fixed both in the mbed TLS authentication module
as well as in the certificate generation tool. Note that the latter
code didn't need fixing since it is not built with '-pedantic' but
the change has been propagated for consistency.
Also fixed the REGISTER_KEYS() and REGISTER_EXTENSIONS() macros,
which were suffering from the same issue.
* Fixes a pointer type.
It was causing the following error message:
drivers/auth/mbedtls/mbedtls_crypto.c: In function 'verify_hash':
drivers/auth/mbedtls/mbedtls_crypto.c:177:42: error: pointer of
type 'void *' used in arithmetic [-Werror=pointer-arith]
Change-Id: I7b7a04ef711efd65e17b5be26990d1a0d940257d
The mbed TLS library has introduced some changes in the API from
the 1.3.x to the 2.x releases. Using the 2.x releases requires
some changes to the crypto and transport modules.
This patch updates both modules to the mbed TLS 2.x API.
All references to the mbed TLS library in the code or documentation
have been updated to 'mbed TLS'. Old references to PolarSSL have
been updated to 'mbed TLS'.
User guide updated to use mbed TLS 2.2.0.
NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible.
Applying this patch will require an mbed TLS 2.x release to be used.
Also note that the mbed TLS license changed to Apache version 2.0.
Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
The Server Base System Architecture document (ARM-DEN-0029)
specifies a generic UART device. The programmer's view of this
generic UART is a subset of the ARM PL011 UART. However, the
current PL011 driver in Trusted Firmware uses some features
that are outside the generic UART specification.
This patch modifies the PL011 driver to exclude features outside
the SBSA generic UART specification by setting the boolean build
option 'PL011_GENERIC_UART=1'. Default value is 0 (use full
PL011 features).
User guide updated.
FixesARM-software/tf-issues#216
Change-Id: I6e0eb86f9d69569bc3980fb57e70d6da5d91a737
Allowing console base address to be set to NULL conveniently
allows console driver to ignore further invocations to console_putc()
and console_getc(). This patch adds `console_uninit()` API to the
console driver which sets console base address as NULL. The BL images can
invoke this API to finish the use of console and ignore any further
invocations to print to the console.
Change-Id: I00a1762b3e0b7c55f2be2f9c4c9bee3967189dde
Add compile time `__warn_deprecated` flag to public api's in CCI-400
specific driver so that user is aware of the driver being deprecated.
Similarly, it also adds an error message when `ERROR_DEPRECATED` is set
to prevent succesful compilation if CCI-400 specific driver is used.
Change-Id: Id7e61a560262abc01cbbd432ca85b9bf448a194d
This patch renames the GICv3 interrupt group macros from
INT_TYPE_G0, INT_TYPE_G1S and INT_TYPE_G1NS to INTR_GROUP0,
INTR_GROUP1S and INTR_GROUP1NS respectively.
Change-Id: I40c66f589ce6234fa42205adcd91f7d6ad8f33d4
This patch fixes several issues with the SP804 delay timer on FVP:
* By default, the SP804 dual timer on FVP runs at 32 KHz. In order
to run the timer at 35 MHz (as specified in the FVP user manual)
the Overwrite bit in the SP810 control register must be set.
* The CLKMULT and CLKDIV definitions are mixed up:
delta(us) = delta(ticks) * T(us) = delta(ticks) / f(MHz)
From the delay function:
delta_us = (delta * ops->clk_mult) / ops->clk_div;
Matching both expressions:
1 / f(MHz) = ops->clk_mult / ops->clk_div
And consequently:
f(MHz) = ops->clk_div / ops->clk_mult
Which, for a 35 MHz timer, translates to:
ops->clk_div = 35
ops->clk_mult = 1
* The comment in the delay timer header file has been corrected:
The ratio of the multiplier and the divider is the clock period
in microseconds, not the frequency.
Change-Id: Iffd5ce0a5a28fa47c0720c0336d81b678ff8fdf1
The TZC-400 driver implementation incorrectly uses the component
ID registers to detect the TZC-400 peripheral. As all ARM
peripherals share the same component ID, it doesn't allow to
uniquely identify the TZC-400 peripheral. This patch fixes the
TZC-400 driver by relying on the `part_number_0` and
`part_number_1` fields in the `PID` registers instead.
The `tzc_read_component_id` function has been replaced by
`tzc_read_peripheral_id`, which reads the 'part_number' values
and compares them with the TZC-400 peripheral ID.
Also, it adds a debug assertion to detect when the TZC driver
initialisation function is called multiple times.
Change-Id: I35949f6501a51c0a794144cd1c3a6db62440dce6
Based on SP805 Programmer's model (ARM DDI 0270B). This driver
provides three public APIs:
void sp805_start(uintptr_t base, unsigned long ticks);
void sp805_stop(uintptr_t base);
void sp805_refresh(uintptr_t base, unsigned long ticks);
Upon start, the watchdog starts counting down from the number of
ticks specified. When the count reaches 0 an interrupt is triggered.
The watchdog restarts counting down from the number of ticks
specified. If the count reaches 0 again, the system is reset. A
mechanism to handle the interrupt has not been implemented. Instead,
the API to refresh the watchdog should be used instead to prevent a
system reset.
Change-Id: I799d53f8d1213b10b341a4a67fde6486e89a3dab
This patch deprecates the legacy ARM GIC driver and related header files
(arm_gic.h, gic_v2.h, gic_v3.h). For GICv2 systems, platform ports should
use the GICv2 driver in include/drivers/arm/gicv2.h and for GICv3 systems,
platform ports should use the GICv3 driver in include/drivers/arm/gicv3.h
NOTE: The ARM Legacy GIC drivers have been deprecated with this patch.
Platform ports are encouraged to migrate to the new GIC drivers.
Change-Id: Ic0460ef0427b54a6aac476279a7f29b81943e942
This patch adds a driver for ARM GICv2 systems, example GIC-400. Unlike
the existing GIC driver in `include/drivers/arm/arm_gic.h`, this driver
is optimised for GICv2 and does not support GICv3 systems in GICv2
compatibility mode. The driver interface has been implemented in
`drivers/arm/gic/v2/gicv2_main.c`. The corresponding header is in
`include/drivers/arm/gicv2.h`. Helper functions are implemented in
`drivers/arm/gic/v2/gicv2_helpers.c` and are accessible through the
`drivers/arm/gic/v2/gicv2_private.h` header.
Change-Id: I09fffa4e621fb99ba3c01204839894816cd89a2a
This patch adds a driver for ARM GICv3 systems that need to run software
stacks where affinity routing is enabled across all privileged exception
levels for both security states. This driver is a partial implementation
of the ARM Generic Interrupt Controller Architecture Specification, GIC
architecture version 3.0 and version 4.0 (ARM IHI 0069A). The driver does
not cater for legacy support of interrupts and asymmetric configurations.
The existing GIC driver has been preserved unchanged. The common code for
GICv2 and GICv3 systems has been refactored into a new file,
`drivers/arm/gic/common/gic_common.c`. The corresponding header is in
`include/drivers/arm/gic_common.h`.
The driver interface is implemented in `drivers/arm/gic/v3/gicv3_main.c`.
The corresponding header is in `include/drivers/arm/gicv3.h`. Helper
functions are implemented in `drivers/arm/gic/v3/arm_gicv3_helpers.c`
and are accessible through the `drivers/arm/gic/v3/gicv3_private.h`
header.
Change-Id: I8c3c834a1d049d05b776b4dcb76b18ccb927444a
Patch 7e26fe1f deprecates IO specific return definitions in favour
of standard errno codes. This patch removes those definitions
and its usage from the IO framework, IO drivers and IO platform
layer. Following this patch, standard errno codes must be used
when checking the return value of an IO function.
Change-Id: Id6e0e9d0a7daf15a81ec598cf74de83d5768650f
This patch redefines the values of IO_FAIL, IO_NOT_SUPPORTED and
IO_RESOURCES_EXHAUSTED to match the corresponding definitions in
errno.h:
#define IO_FAIL (-ENOENT)
#define IO_NOT_SUPPORTED (-ENODEV)
#define IO_RESOURCES_EXHAUSTED (-ENOMEM)
NOTE: please note that the IO_FAIL, IO_NOT_SUPPORTED and
IO_RESOURCES_EXHAUSTED definitions are considered deprecated
and their usage should be avoided. Callers should rely on errno.h
definitions when checking the return values of IO functions.
Change-Id: Ic8491aa43384b6ee44951ebfc053a3ded16a80be
The generic delay timer driver expects a pointer to a timer_ops_t
structure containing the specific timer driver information. It
doesn't make a copy of the structure, instead it just keeps the
pointer. Therefore, this pointer must remain valid over time.
The SP804 driver doesn't satisfy this requirement. The
sp804_timer_init() macro creates a temporary instanciation of the
timer_ops_t structure on the fly and passes it to the generic
delay timer. When this temporary instanciation gets deallocated,
the generic delay timer is left with a pointer to invalid data.
This patch fixes this bug by statically allocating the SP804
timer_ops_t structure.
Change-Id: I8fbf75907583aef06701e3fd9fabe0b2c9bc95bf
This patch adds a device driver which can be used to program the following
aspects of ARM CCN IP:
1. Specify the mapping between ACE/ACELite/ACELite+DVM/CHI master interfaces and
Request nodes.
2. Add and remove master interfaces from the snoop and dvm
domains.
3. Place the L3 cache in a given power state.
4. Configuring system adress map and enabling 3 SN striping mode of memory
controller operation.
Change-Id: I0f665c6a306938e5b66f6a92f8549b529aa8f325
Currently, on ARM platforms(ex. Juno) non-secure access to specific
peripheral regions, config registers which are inside and outside CSS
is done in the soc_css_security_setup(). This patch separates the CSS
security setup from the SOC security setup in the css_security_setup().
The CSS security setup involves programming of the internal NIC to
provide access to regions inside the CSS. This is needed only in
Juno, hence Juno implements it in its board files as css_init_nic400().
Change-Id: I95a1fb9f13f9b18fa8e915eb4ae2f15264f1b060
This patch changes the type of the base address parameter in the
ARM device driver APIs to uintptr_t (GIC, CCI, TZC400, PL011). The
uintptr_t type allows coverage of the whole memory space and to
perform arithmetic operations on the addresses. ARM platform code
has also been updated to use uintptr_t as GIC base address in the
configuration.
FixesARM-software/tf-issues#214
Change-Id: I1b87daedadcc8b63e8f113477979675e07d788f1
This patch adds the following mbedTLS based libraries:
* Cryptographic library
It is used by the crypto module to verify a digital signature
and a hash. This library relies on mbedTLS to perform the
cryptographic operations. mbedTLS sources must be obtained
separately.
Two key algorithms are currently supported:
* RSA-2048
* ECDSA-SECP256R1
The platform is responsible for picking up the required
algorithm by defining the 'MBEDTLS_KEY_ALG' variable in the
platform makefile. Available options are:
* 'rsa' (for RSA-2048) (default option)
* 'ecdsa' (for ECDSA-SECP256R1)
Hash algorithm currently supported is SHA-256.
* Image parser library
Used by the image parser module to extract the authentication
parameters stored in X509v3 certificates.
Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
This patch adds the authentication framework that will be used as
the base to implement Trusted Board Boot in the Trusted Firmware.
The framework comprises the following modules:
- Image Parser Module (IPM)
This module is responsible for interpreting images, check
their integrity and extract authentication information from
them during Trusted Board Boot.
The module currently supports three types of images i.e.
raw binaries, X509v3 certificates and any type specific to
a platform. An image parser library must be registered for
each image type (the only exception is the raw image parser,
which is included in the main module by default).
Each parser library (if used) must export a structure in a
specific linker section which contains function pointers to:
1. Initialize the library
2. Check the integrity of the image type supported by
the library
3. Extract authentication information from the image
- Cryptographic Module (CM)
This module is responsible for verifying digital signatures
and hashes. It relies on an external cryptographic library
to perform the cryptographic operations.
To register a cryptographic library, the library must use the
REGISTER_CRYPTO_LIB macro, passing function pointers to:
1. Initialize the library
2. Verify a digital signature
3. Verify a hash
Failing to register a cryptographic library will generate
a build time error.
- Authentication Module (AM)
This module provides methods to authenticate an image, like
hash comparison or digital signatures. It uses the image parser
module to extract authentication parameters, the crypto module
to perform cryptographic operations and the Chain of Trust to
authenticate the images.
The Chain of Trust (CoT) is a data structure that defines the
dependencies between images and the authentication methods
that must be followed to authenticate an image.
The Chain of Trust, when added, must provide a header file named
cot_def.h with the following definitions:
- COT_MAX_VERIFIED_PARAMS
Integer value indicating the maximum number of authentication
parameters an image can present. This value will be used by the
authentication module to allocate the memory required to load
the parameters in the image descriptor.
Change-Id: Ied11bd5cd410e1df8767a1df23bb720ce7e58178
The Trusted firmware code identifies BL images by name. The platform
port defines a name for each image e.g. the IO framework uses this
mechanism in the platform function plat_get_image_source(). For
a given image name, it returns the handle to the image file which
involves comparing images names. In addition, if the image is
packaged in a FIP, a name comparison is required to find the UUID
for the image. This method is not optimal.
This patch changes the interface between the generic and platform
code with regard to identifying images. The platform port must now
allocate a unique number (ID) for every image. The generic code will
use the image ID instead of the name to access its attributes.
As a result, the plat_get_image_source() function now takes an image
ID as an input parameter. The organisation of data structures within
the IO framework has been rationalised to use an image ID as an index
into an array which contains attributes of the image such as UUID and
name. This prevents the name comparisons.
A new type 'io_uuid_spec_t' has been introduced in the IO framework
to specify images identified by UUID (i.e. when the image is contained
in a FIP file). There is no longer need to maintain a look-up table
[iname_name --> uuid] in the io_fip driver code.
Because image names are no longer mandatory in the platform port, the
debug messages in the generic code will show the image identifier
instead of the file name. The platforms that support semihosting to
load images (i.e. FVP) must provide the file names as definitions
private to the platform.
The ARM platform ports and documentation have been updated accordingly.
All ARM platforms reuse the image IDs defined in the platform common
code. These IDs will be used to access other attributes of an image in
subsequent patches.
IMPORTANT: applying this patch breaks compatibility for platforms that
use TF BL1 or BL2 images or the image loading code. The platform port
must be updated to match the new interface.
Change-Id: I9c1b04cb1a0684c6ee65dee66146dd6731751ea5
Add a delay timer driver for the ARM SP804 dual timer.
This driver only uses the first timer, called timer 1 in the
SP804 Technical Reference Manual (ARM DDI 0271D).
To use this driver, the BSP must provide three constants:
* The base address of the SP804 dual timer
* The clock multiplier
* The clock divider
The BSP is responsible for calling sp804_timer_init(). The SP804
driver instantiates a constant timer_ops_t and calls the generic
timer_init().
Change-Id: I49ba0a52bdf6072f403d1d0a20e305151d4bc086
Co-authored-by: Dan Handley <dan.handley@arm.com>
The API is simple. The BSP or specific timer driver creates an
instance of timer_ops_t, fills in the timer specific data, then calls
timer_init(). The timer specific data includes a function pointer
to return the timer value and a clock multiplier/divider. The ratio
of the multiplier and the divider is the clock frequency in MHz.
After that, mdelay() or udelay() can be called to delay execution for
the specified time (milliseconds or microseconds, respectively).
Change-Id: Icf8a295e1d25874f789bf28b7412156329dc975c
Co-authored-by: Dan Handley <dan.handley@arm.com>
This patch adds driver for the 16550 UART interface. The driver is exposed
as a console, which platforms can use to dump their boot/crash logs.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
The ARM GIC driver treats the entire contents of the GICC_HPPIR as the interrupt
ID instead of just bits[9:0]. This could result in an SGI being treated as a
Group 1 interrupt on a GICv2 system.
This patch introduces a mask to retrieve only the ID from a read of GICC_HPPIR,
GICC_IAR and similar registers. The value read from these registers is masked
with this constant prior to use as an interrupt ID.
FixesARM-software/tf-issues#306
Change-Id: Ie3885157de33b71df9781a41f6ef015a30c4608d
Region 0 is special in TZC-400. It is possible to set the access
permissions for this but not the address range or filters to which
the permissions apply. Add a function for setting the region 0
access permissions.
Also add some VERBOSE logging and allow assembly files to include
the TZC header.
Change-Id: I4389261ba10a6e5e2e43ee93d55318dc507b6648
Even though both CCI-400 and CCI-500 IPs have different configurations
with respect to the number and types of supported interfaces, their
register offsets and programming sequences are similar. This patch
creates a common driver for enabling and disabling snoop transactions
and DVMs with both the IPs.
New platform ports which implement one of these IPs should use this
common driver. Existing platform ports which implement CCI-400 should
migrate to the common driver as the standalone CCI-400 will be
deprecated in the future.
Change-Id: I3ccd0eb7b062922d2e4a374ff8c21e79fa357556
This patch introduces several improvements to the ARM GIC driver:
* In function gicd_set_itargetsr(), target CPU is specified using
the same bit mask detailed in the GICD_ITARGETSRn register instead
of the CPU linear ID, removing the dependency between bit position
and linear ID in the platform porting. The current CPU bit mask
may be obtained by reading GICD_ITARGETSR0.
* PPIs and SGIs are initialized in arm_gic_pcpu_distif_setup().
SPIs are initialized in arm_gic_distif_setup().
* By default, non secure interrupts are assigned the maximum
priority allowed to a non secure interrupt (defined by
GIC_HIGHEST_NS_PRIORITY).
* GICR base address is allowed to be NULL for GICv1 and GICv2.
Change-Id: Ie2837fe860d43b2282e582dfdb13c39c6186f232
This patch configures the TrustZone Controller in Juno to split
the 2GB DDR-DRAM memory at 0x80000000 into Secure and Non-Secure
regions:
- Secure DDR-DRAM: top 16 MB, except for the last 2 MB which are
used by the SCP for DDR retraining
- Non-Secure DDR-DRAM: remaining DRAM starting at base address
Build option PLAT_TSP_LOCATION selects the location of the secure
payload (BL3-2):
- 'tsram' : Trusted SRAM (default option)
- 'dram' : Secure region in the DDR-DRAM (set by the TrustZone
controller)
The MMU memory map has been updated to give BL2 permission to load
BL3-2 into the DDR-DRAM secure region.
FixesARM-software/tf-issues#233
Change-Id: I6843fc32ef90aadd3ea6ac4c7f314f8ecbd5d07b
The TZC-400 driver previously allowed the possibility of multiple
controller instances to be present in the same executable. This
was unnecessary since there will only ever be one instance.
This change simplifies the tzc_init() function to only take the
base address argument needed by implementation, conforming to the
driver initialization model of other drivers. It also hides some
of the implementation details that were previously exposed by the
API.
The FVP port has been updated accordingly.
THIS CHANGE REQUIRES ALL PLATFORM PORTS THAT USE THE TZC-400
DRIVER TO BE UPDATED
FixesARM-software/tf-issues#181
Change-Id: I7b721edf947064989958d8f457d6462d92e742c8
Move the remaining IO storage source file (io_storage.c) from the
lib to the drivers directory. This requires that platform ports
explicitly add this file to the list of source files.
Also move the IO header files to a new sub-directory, include/io.
Change-Id: I862b1252a796b3bcac0d93e50b11e7fb2ded93d6
The intent of io_init() was to allow platform ports to provide
a data object (io_plat_data_t) to the IO storage framework to
allocate into. The abstraction was incomplete because io_plat_data_t
uses a platform defined constant and the IO storage framework
internally allocates other arrays using platform defined constants.
This change simplifies the implementation by instantiating the
supporting objects in the IO storage framework itself. There is now
no need for the platform to call io_init().
The FVP port has been updated accordingly.
THIS CHANGE REQUIRES ALL PLATFORM PORTS THAT USE THE IO STORAGE
FRAMEWORK TO BE UDPATED.
Change-Id: Ib48ac334de9e538064734334c773f8b43df3a7dc
* Create cci_init() function in CCI-400 driver to allow platform
to provide arguments needed by the driver (i.e. base address
and cluster indices for the ACE slave interfaces).
* Rename cci_(en|dis)able_coherency to
cci_(en|dis)able_cluster_coherency to make it clear that
the driver only enables/disables the coherency of CPU
clusters and not other devices connected to the CCI-400.
* Update FVP port to use new cci_init() function and remove
unnecessary CCI defintions from platform_def.h. Also rename
fvp_cci_setup() to fvp_cci_enable() to more clearly
differentiate between CCI initialization and enabling.
THIS CHANGE REQUIRES PLATFORM PORTS THAT USE THE CCI-400 DRIVER
TO BE UPDATED
FixesARM-software/tf-issues#168
Change-Id: I1946a51409b91217b92285b6375082619f607fec
Assert a valid security state using the macro sec_state_is_valid().
Replace assert() with panic() in those cases that might arise
because of runtime errors and not programming errors.
Replace panic() with assert() in those cases that might arise
because of programming errors.
FixesARM-software/tf-issues#96
Change-Id: I51e9ef0439fd5ff5e0edfef49050b69804bf14d5
This patch adds the CPUECTLR_EL1 register and the CCI Snoop Control
register to the list of registers being reported when an unhandled
exception occurs.
Change-Id: I2d997f2d6ef3d7fa1fad5efe3364dc9058f9f22c
This patch adds baud rate and UART clock frequency as parameters
to the pl011 driver api console_init(). This allows each platform
to specify UART clock and baud rate according to their specific
hardware implementation.
FixesARM-software/tf-issues#215
Change-Id: Id13eef70a1c530e709b34dd1e6eb84db0797ced2
This patch replaces the pl011 console family of functions
with their equivalents defined in assembly. The baud rate is
defined by the PL011_BAUDRATE macro and IBRD and FBRD values
for pl011 are computed statically. This patch will enable
us to invoke the console functions without the C Runtime Stack.
Change-Id: Ic3f7b7370ded38bf9020bf746b362081b76642c7
Refactor the FVP gic code in plat/fvp/fvp_gic.c to be a generic ARM
GIC driver in drivers/arm/gic/arm_gic.c. Provide the platform
specific inputs in the arm_gic_setup() function so that the driver
has no explicit dependency on platform code.
Provide weak implementations of the platform interrupt controller
API in a new file, plat/common/plat_gic.c. These simply call through
to the ARM GIC driver.
Move the only remaining FVP GIC function, fvp_gic_init() to
plat/fvp/aarch64/fvp_common.c and remove plat/fvp/fvp_gic.c
FixesARM-software/tf-issues#182
Change-Id: Iea82fe095fad62dd33ba9efbddd48c57717edd21
Replace the current out-of-line assembler implementations of
the system register and system instruction operations with
inline assembler.
This enables better compiler optimisation and code generation
when accessing system registers.
FixesARM-software/tf-issues#91
Change-Id: I149af3a94e1e5e5140a3e44b9abfc37ba2324476
Previously, platform.h contained many declarations and definitions
used for different purposes. This file has been split so that:
* Platform definitions used by common code that must be defined
by the platform are now in platform_def.h. The exact include
path is exported through $PLAT_INCLUDES in the platform makefile.
* Platform definitions specific to the FVP platform are now in
/plat/fvp/fvp_def.h.
* Platform API declarations specific to the FVP platform are now
in /plat/fvp/fvp_private.h.
* The remaining platform API declarations that must be ported by
each platform are still in platform.h but this file has been
moved to /include/plat/common since this can be shared by all
platforms.
Change-Id: Ieb3bb22fbab3ee8027413c6b39a783534aee474a
This patch introduces a set of functions which allow generic firmware
code e.g. the interrupt management framework to access the platform
interrupt controller. APIs for finding the type and id of the highest
pending interrupt, acknowledging and EOIing an interrupt and finding
the security state of an interrupt have been added. It is assumed that
the platform interrupt controller implements the v2.0 of the ARM GIC
architecture specification. Support for v3.0 of the specification for
managing interrupts in EL3 and the platform port will be added in the
future.
Change-Id: Ib3a01c2cf3e3ab27806930f1be79db2b29f91bcf
This patch introduces a framework for registering interrupts routed to
EL3. The interrupt routing model is governed by the SCR_EL3.IRQ and
FIQ bits and the security state an interrupt is generated in. The
framework recognizes three type of interrupts depending upon which
exception level and security state they should be handled in
i.e. Secure EL1 interrupts, Non-secure interrupts and EL3
interrupts. It provides an API and macros that allow a runtime service
to register an handler for a type of interrupt and specify the routing
model. The framework validates the routing model and uses the context
management framework to ensure that it is applied to the SCR_EL3 prior
to entry into the target security state. It saves the handler in
internal data structures. An API is provided to retrieve the handler
when an interrupt of a particular type is asserted. Registration is
expected to be done once by the primary CPU. The same handler and
routing model is used for all CPUs.
Support for EL3 interrupts will be added to the framework in the
future. A makefile flag has been added to allow the FVP port choose
between ARM GIC v2 and v3 support in EL3. The latter version is
currently unsupported.
A framework for handling interrupts in BL3-1 will be introduced in
subsequent patches. The default routing model in the absence of any
handlers expects no interrupts to be routed to EL3.
Change-Id: Idf7c023b34fcd4800a5980f2bef85e4b5c29e649
Addresses were declared as "unsigned int" in drivers/arm/peripherals/pl011/pl011.h and in function init_xlation_table. Changed to use "unsigned long" instead
FixesARM-software/tf-issues#156
'PL011_BASE' macro is no longer used because the right UART base
address is now directly given to the 'console_init()' function.
This patch removes it.
Change-Id: I94759c99602df4876291a56f9f6a75de337a65ec
Update code base to remove variables from the .data section,
mainly by using const static data where possible and adding
the const specifier as required. Most changes are to the IO
subsystem, including the framework APIs. The FVP power
management code is also affected.
Delay initialization of the global static variable,
next_image_type in bl31_main.c, until it is realy needed.
Doing this moves the variable from the .data to the .bss
section.
Also review the IO interface for inconsistencies, using
uintptr_t where possible instead of void *. Remove the
io_handle and io_dev_handle typedefs, which were
unnecessary, replacing instances with uintptr_t.
FixesARM-software/tf-issues#107.
Change-Id: I085a62197c82410b566e4698e5590063563ed304
Reduce the number of header files included from other header
files as much as possible without splitting the files. Use forward
declarations where possible. This allows removal of some unnecessary
"#ifndef __ASSEMBLY__" statements.
Also, review the .c and .S files for which header files really need
including and reorder the #include statements alphabetically.
FixesARM-software/tf-issues#31
Change-Id: Iec92fb976334c77453e010b60bcf56f3be72bd3e
Add tag names to all unnamed structs in header files. This
allows forward declaration of structs, which is necessary to
reduce header file nesting (to be implemented in a subsequent
commit).
Also change the typedef names across the codebase to use the _t
suffix to be more conformant with the Linux coding style. The
coding style actually prefers us not to use typedefs at all but
this is considered a step too far for Trusted Firmware.
Also change the IO framework structs defintions to use typedef'd
structs to be consistent with the rest of the codebase.
Change-Id: I722b2c86fc0d92e4da3b15e5cab20373dd26786f
Move the function prototypes from gic.h into either gic_v2.h or
gic_v3.h as appropriate. Update the source files to include the
correct headers.
Change-Id: I368cfda175cdcbd3a68f46e2332738ec49048e19
Make codebase consistent in its use of #include "" syntax for
user includes and #include <> syntax for system includes.
FixesARM-software/tf-issues#65
Change-Id: If2f7c4885173b1fd05ac2cde5f1c8a07000c7a33
Move the FVP power driver to a directory under the FVP platform
port as this is not a generically usable driver.
Change-Id: Ibc78bd88752eb3e3964336741488349ac345f4f0
Move almost all system include files to a logical sub-directory
under ./include. The only remaining system include directories
not under ./include are specific to the platform. Move the
corresponding source files to match the include directory
structure.
Also remove pm.h as it is no longer used.
Change-Id: Ie5ea6368ec5fad459f3e8a802ad129135527f0b3
Antonio Nino Diaz
Benjamin Fair
Daniel Boulby
Dimitris Papastamos
Roberto Vargas
Amit Daniel Kachhap
Michalis Pappas
Jeenu Viswambharan
Dan Handley
fengbaopeng
davidcunado-arm
Julius Werner
Qixiang Xu
Etienne Carriere
Soby Mathew
Isla Mitchell
Varun Wadekar
Haojian Zhuang
Nishanth Menon
Qixiang.Xu
Caesar Wang
Gerald Lejeune
Yatharth Kochar
Soren Brinkmann
Vikram Kanigiri
Juan Castillo
Sandrine Bailleux
Achin Gupta
Juan Castillo
Ryan Harkin
Andrew Thoelke
Lin Ma